1
00:00:00,000 --> 00:00:18,279
*35C3 preroll music*
2
00:00:18,279 --> 00:00:22,850
Herald: And I have one last announcement before
we begin this talk. This is a personal
3
00:00:22,850 --> 00:00:27,850
announcement to whoever slapped this
sticker saying "for rectal use only" onto
4
00:00:27,850 --> 00:00:30,710
my microphone.
*loud laughing*
5
00:00:30,710 --> 00:00:34,450
Microphones are not supposed to be used
this way.
6
00:00:34,450 --> 00:00:42,440
*applause*
7
00:00:42,440 --> 00:00:46,019
Please trust me. I am very familiar with
microphones.
8
00:00:46,019 --> 00:00:51,629
*laughing*
I know how they are supposed to be used.
9
00:00:51,629 --> 00:00:57,929
However our next speaker is going to tell
you about things that are supposed to be
10
00:00:57,929 --> 00:01:06,340
used this way and about how to secure and
protect those things. So please welcome
11
00:01:06,340 --> 00:01:12,260
the honor and the talk you all came here
to see. The Internet of dongs. A round of
12
00:01:12,260 --> 00:01:21,790
applause.
*applause*
13
00:01:21,790 --> 00:01:27,000
Werner: Okay so hello everyone. My name is Werner.
I'm working for SEC Consult as an IT
14
00:01:27,000 --> 00:01:33,140
security consultant. And besides
penetrating all the things at SEC
15
00:01:33,140 --> 00:01:38,200
Consult's Vulnerability Lab, I have been
studying information security for the last
16
00:01:38,200 --> 00:01:44,490
five years at the University of Applied
Sciences St. Pölten back in Austria and
17
00:01:44,490 --> 00:01:49,520
about a year ago I was facing a massive
challenge. Some people might know this
18
00:01:49,520 --> 00:01:54,800
challenge. This challenge was to select a
proper topic for my master's thesis.
19
00:01:54,800 --> 00:02:01,530
*loud laughing*
You might know there are always those
20
00:02:01,530 --> 00:02:06,549
predefined topics by the universities.
Some of them are quite interesting. They
21
00:02:06,549 --> 00:02:10,970
are taken - yeah - most of the time quite
fast by the other students and you are
22
00:02:10,970 --> 00:02:15,760
left with the boring topics and I thought
to myself, I don't want to stress myself I
23
00:02:15,760 --> 00:02:21,239
just want to define a topic by myself. And
that was the challenge. So the first thing
24
00:02:21,239 --> 00:02:25,690
I did to get a better overview of the
topics was to take a look at the topics my
25
00:02:25,690 --> 00:02:29,990
colleagues have chosen and created a word
cloud out of that. So we have basically
26
00:02:29,990 --> 00:02:34,510
all the interesting topics there: we have
Bitcoin, we have GDPR, we have cyber
27
00:02:34,510 --> 00:02:41,460
cyber cyber, we have DevOps management,
malware. But some of you might have
28
00:02:41,460 --> 00:02:46,860
already noticed it. There is one topic
missing from my colleagues' theses, which is
29
00:02:46,860 --> 00:02:53,629
very very important in the year 2018 and
that's the Internet of Things. So I guess
30
00:02:53,629 --> 00:02:57,500
I don't have to explain here at the
Congress what the Internet of Things is.
31
00:02:57,500 --> 00:03:01,900
It's basically the interconnection of all
the devices which were analog a few years
32
00:03:01,900 --> 00:03:09,099
ago, with each other and even worse over
the Internet. I thought maybe I can
33
00:03:09,099 --> 00:03:13,720
combine the knowledge gathered at SEC
Consult and conduct a penetration test in
34
00:03:13,720 --> 00:03:18,019
this Internet of Things. The problem here
is still there are like millions of
35
00:03:18,019 --> 00:03:22,019
products and I just have to write one
thesis, so I have to select one
36
00:03:22,019 --> 00:03:27,720
subcategory in this Internet of Things to
conduct a penetration test on. Of course
37
00:03:27,720 --> 00:03:32,689
the first thing which came to my mind
were smart home devices. We already had a
38
00:03:32,689 --> 00:03:37,430
lot of interesting talks about smart home
devices. There are like smart coffee
39
00:03:37,430 --> 00:03:45,760
machines, smart lawnmowers, light bulbs,
thermometers and stuff like that. But this
40
00:03:45,760 --> 00:03:50,560
category has two problems. So, first of
all there is already a lot of research
41
00:03:50,560 --> 00:03:56,799
done. And the other problem is the impact.
So, I don't want to downplay the
42
00:03:56,799 --> 00:04:01,390
vulnerabilities which were found there,
but when there are vulnerabilities found I
43
00:04:01,390 --> 00:04:07,570
mean, yeah, if there is a DDoS on your
lawnmower you can just go out through your
44
00:04:07,570 --> 00:04:11,660
garden and mow the lawn yourself. It's
not that big of a deal. So I thought I
45
00:04:11,660 --> 00:04:18,440
have to select a subcategory where the
impact is a little bit more critical. And
46
00:04:18,440 --> 00:04:25,120
I came up with the following devices. So,
for example: Smart dolls. There was this
47
00:04:25,120 --> 00:04:30,081
doll Cayla. Some of you might know it.
Someone found out that it has a built in
48
00:04:30,081 --> 00:04:35,170
microphone and the data was sent to some
dubious service in some dubious countries
49
00:04:35,170 --> 00:04:38,820
and it was even declared as an illegal
telecommunication device. It had to be
50
00:04:38,820 --> 00:04:43,480
destroyed. Or there is a lot of
interesting research at baby monitors. A
51
00:04:43,480 --> 00:04:47,050
colleague of mine wrote a very interesting
blog post, you should take a look at it.
52
00:04:47,050 --> 00:04:54,190
Or devices which affect our body. So, for
example smart pacemakers. They were
53
00:04:54,190 --> 00:04:58,390
developed by St. Jude Medical, that's the
biggest manufacturer of pacemakers in the
54
00:04:58,390 --> 00:05:04,040
world. And they built a pacemaker which is
programmable via Bluetooth. But yeah, they
55
00:05:04,040 --> 00:05:08,330
forgot authentication, which is quite a
big of a problem when everyone is able to
56
00:05:08,330 --> 00:05:17,100
reprogram your pacemaker. So as we can
see, in these categories the impact would
57
00:05:17,100 --> 00:05:21,720
be quite critical but there is again a lot
of research done. So the deadline was
58
00:05:21,720 --> 00:05:28,010
coming closer and closer. I had to hand in
some kind of topic for my master thesis. I
59
00:05:28,010 --> 00:05:32,010
was doing a lot of brainstorming with
myself and then suddenly it came to my
60
00:05:32,010 --> 00:05:38,000
mind. There is one category out there
where the impact would be very critical.
61
00:05:38,000 --> 00:05:41,990
And there is not a lot of research done
and that's the Internet of dildos. So
62
00:05:41,990 --> 00:05:48,670
that's basically the integration of sex
toys into the Internet of Things where we
63
00:05:48,670 --> 00:05:55,740
interconnect the dildos with each other
and over the Internet. But before I'm
64
00:05:55,740 --> 00:06:01,870
going to show you what I've found in this
internet of dildos, we have to talk about
65
00:06:01,870 --> 00:06:07,250
history, because you might think now
that's something new. But that's not true
66
00:06:07,250 --> 00:06:13,350
because the Internet of dildos as we know
it is existing for about 50 to 60 years.
67
00:06:13,350 --> 00:06:18,120
And as always when there are new
inventions or interesting ideas, they
68
00:06:18,120 --> 00:06:23,510
first appear in movies and that also
applies to the Internet of dildos. So,
69
00:06:23,510 --> 00:06:27,710
those are quite old movies, we have for
example Barbarella or Flash Gordon or
70
00:06:27,710 --> 00:06:34,500
Orgazmo. And in those movies, those are
real movies - it's not a joke.
71
00:06:34,500 --> 00:06:38,530
*laughing*
The Internet of dildos appeared first in
72
00:06:38,530 --> 00:06:43,730
these movies. So for example in Barbarella
the evil guy used a device called the
73
00:06:43,730 --> 00:06:50,460
Orgasmotron to cause so high levels of
arousal in humanity, to kill people. So
74
00:06:50,460 --> 00:06:54,770
basically the Internet of dildos was in
the 60s and 70s a weapon of mass
75
00:06:54,770 --> 00:06:58,840
destruction
*loud laughing*
76
00:06:58,840 --> 00:07:08,590
and not the weapon of mass pleasure, as it
should be. So a few years later a whole
77
00:07:08,590 --> 00:07:14,990
research area was formed. This research
area is called teledildonics and that's
78
00:07:14,990 --> 00:07:19,300
also not a joke again.
*laughing*
79
00:07:19,300 --> 00:07:25,690
And it was first mentioned by Ted Nelson.
He is a technical philosopher and he coined
80
00:07:25,690 --> 00:07:32,360
quite well-known terms like Transclusion,
Virtuality and Intertwingularity and
81
00:07:32,360 --> 00:07:36,020
Teledildonics. And he mentioned this term
at first in a book called Computer
82
00:07:36,020 --> 00:07:41,310
Lib/Dream Machines. Very interesting book
by the way. You should read it. And in
83
00:07:41,310 --> 00:07:48,890
this book he did interviews with people
who had yeah innovative and interesting
84
00:07:48,890 --> 00:07:54,390
ideas for the time but the technology was
not just ready yet. He did an interview
85
00:07:54,390 --> 00:08:00,580
with a guy called How Wachspress and How
Wachspress developed a device or had the
86
00:08:00,580 --> 00:08:05,310
idea for a device called auditac. When you
Google for auditac you find quite an
87
00:08:05,310 --> 00:08:10,730
ancient website called auditac.com. And
when you dig a little bit deeper you can
88
00:08:10,730 --> 00:08:16,160
find out that he's still looking to find a
manufacturer to sell his sonic stimulator.
89
00:08:16,160 --> 00:08:21,410
Sounds already quite interesting and even
has a patent and a small graphic for it.
90
00:08:21,410 --> 00:08:27,070
So it's basically a radio with one input
and two outputs. One input of course the
91
00:08:27,070 --> 00:08:31,610
antenna and the two outputs are one for
the headphones and the other output is for
92
00:08:31,610 --> 00:08:35,659
this sonic stimulator, which is inserted
from below in the human life-form.
93
00:08:35,659 --> 00:08:41,599
*laughing*
You even can find the patent on Google
94
00:08:41,599 --> 00:08:45,100
Patents and he writes there in his
abstract: Random or controlled
95
00:08:45,100 --> 00:08:49,370
electronically synthesized signals are
converted to sound waves that are directly
96
00:08:49,370 --> 00:08:54,220
coupled to the skin of a life form, yeah
such as a human body for example, to
97
00:08:54,220 --> 00:09:02,149
stimulate the skin or internal portions of
the life-form. So as we can see the ideas
98
00:09:02,149 --> 00:09:07,490
were there, but the technology was just
not ready in the 1970s and 1980s, but now
99
00:09:07,490 --> 00:09:13,069
we're in the year 2018 and we are
definitely ready for penetration testing
100
00:09:13,069 --> 00:09:19,940
the Internet of dildos. And before I'm
going to talk about the test devices and
101
00:09:19,940 --> 00:09:24,250
the vulnerabilities, I'm going to make a
promise now. I will try to keep this as
102
00:09:24,250 --> 00:09:30,230
serious as possible. I will try to keep
the, I will call it the IPM stimulendous
103
00:09:30,230 --> 00:09:36,589
per minute as low as possible. Yeah, and
now I just want to talk about the test
104
00:09:36,589 --> 00:09:40,880
devices because those are very important.
So I selected three test devices for my
105
00:09:40,880 --> 00:09:46,019
master's thesis. On the right side we have
the - that's not a joke again -
106
00:09:46,019 --> 00:09:49,280
Vibratissimo Panty Buster. That's the real
name.
107
00:09:49,280 --> 00:09:53,909
*laughing*
In the middle we have the MagicMotion
108
00:09:53,909 --> 00:10:00,920
Flamingo and on the left side we have the
RealLove Lydia. So the devices on the left
109
00:10:00,920 --> 00:10:05,209
side and in the middle have one thing in
common. They are manufactured in China.
110
00:10:05,209 --> 00:10:10,319
The device on the right side is
manufactured in Germany. So, I have to
111
00:10:10,319 --> 00:10:14,899
admit I was a little bit biased because I
thought I am going to take a look at the
112
00:10:14,899 --> 00:10:19,719
Chinese devices first, because there will
be a lot of low-hanging fruit. Question
113
00:10:19,719 --> 00:10:24,170
to the audience now: Who believes that I
found most of the vulnerabilities in the
114
00:10:24,170 --> 00:10:30,250
Chinese devices? Raise your hand.
*laughing*
115
00:10:30,250 --> 00:10:37,030
Who believes that I have found most of the
vulnerabilities in the German device? Who
116
00:10:37,030 --> 00:10:40,180
believes that I have found vulnerabilities
everywhere?
117
00:10:40,180 --> 00:10:44,910
*loud laughing*
Yeah you're basically all right. But when
118
00:10:44,910 --> 00:10:49,910
I took a look at the German device, I
found so many really really critical
119
00:10:49,910 --> 00:10:54,430
vulnerabilities that I immediately stopped
there and wrote my whole thesis about the
120
00:10:54,430 --> 00:10:58,299
Panty Buster.
*laughing*
121
00:10:58,299 --> 00:11:03,500
Okay, so the Panty Buster itself is just
one product out of a whole product line. I
122
00:11:03,500 --> 00:11:07,730
just bought the Panty Buster because it
was the cheapest one. They are basically
123
00:11:07,730 --> 00:11:13,310
using all the same backends, the same iOS
and Android apps. And yeah, the Panty
124
00:11:13,310 --> 00:11:19,100
Buster is basically a device which is
connected via Bluetooth to a smartphone
125
00:11:19,100 --> 00:11:23,990
and it can be used for example for long
distance relationships. But there is way
126
00:11:23,990 --> 00:11:29,459
more behind those apps, because there's
like a whole social media network built
127
00:11:29,459 --> 00:11:35,470
in. You can make group chats
*laughing*
128
00:11:35,470 --> 00:11:40,149
You can create image galleries, you can
maintain friends lists.
129
00:11:40,149 --> 00:11:45,140
*loud laughing*
Yeah, that's real. That's real. It's not a
130
00:11:45,140 --> 00:11:49,620
joke.
*applause*
131
00:11:49,620 --> 00:11:56,290
Yeah. And now we're going to analyze this
Panty Buster and take it down to the last
132
00:11:56,290 --> 00:12:01,080
parts. Yeah we're going to analyze the
software. I'm going to tell you a little
133
00:12:01,080 --> 00:12:05,660
bit about the transport layer and the
hardware of course. So I'd like to start
134
00:12:05,660 --> 00:12:09,100
with the software. So, the first
vulnerability we have to talk about
135
00:12:09,100 --> 00:12:13,320
is the so-called information disclosure. So
you might think nah boring, just some
136
00:12:13,320 --> 00:12:18,019
random version numbers. Yeah that's true
most of the time information disclosures
137
00:12:18,019 --> 00:12:24,670
are boring. But in this case it's really
critical because I found a so-called
138
00:12:24,670 --> 00:12:29,779
.DS_Store file in the web root. A .DS_Store
file is basically a metadata file which
139
00:12:29,779 --> 00:12:35,810
is created by the macOS Finder and it
contains a lot of metadata, like files and
140
00:12:35,810 --> 00:12:40,579
folder names. So when you find such a file
in a web root you have basically a side
141
00:12:40,579 --> 00:12:45,819
channel directory listing. This .DS_Store
file has a proprietary format but as for
142
00:12:45,819 --> 00:12:52,309
all problems in life, there is a Python
module to decode it. Yeah. And I decoded
143
00:12:52,309 --> 00:12:55,790
that .DS_Store file and I was presented
with the following contents. So it's
144
00:12:55,790 --> 00:12:59,489
basically a side channel directory listing
of the web root. There are a lot of
145
00:12:59,489 --> 00:13:04,720
interesting files and folders so for
example: old page example, I have no idea
146
00:13:04,720 --> 00:13:09,319
why it's there in the productive
environment. There is a database folder
147
00:13:09,319 --> 00:13:14,170
but the most interesting folder is the
config folder. So whenever we get to the
148
00:13:14,170 --> 00:13:20,339
config folder, there was real directory
listing enabled and there was one file in
149
00:13:20,339 --> 00:13:31,969
there and it was called config.php.inc
with the following contents. So basically
150
00:13:31,969 --> 00:13:38,049
I had now access to the database hostname,
the database names, usernames and
151
00:13:38,049 --> 00:13:43,029
passwords. The problem now was that as we
can see the database host is just
152
00:13:43,029 --> 00:13:47,800
localhost, there might be a chance that
it's not directly reachable via the
153
00:13:47,800 --> 00:13:51,570
Internet. And we have to find the so-
called exposed administrative interface to
154
00:13:51,570 --> 00:13:58,339
connect to the database. Yeah of course
the first thing I did was to do a
155
00:13:58,339 --> 00:14:05,499
portscan.
*laughing*
156
00:14:05,499 --> 00:14:17,450
*applause*
A lot of interesting ports. Sadly no SQL
157
00:14:17,450 --> 00:14:25,360
ports. But some of you might remember
this, let's call it weird brown orange web
158
00:14:25,360 --> 00:14:32,620
application, called phpMyAdmin and I found
a subdomain which contained the phpMyAdmin
159
00:14:32,620 --> 00:14:36,430
installation and I was able to use those
credentials to connect directly to the
160
00:14:36,430 --> 00:14:52,029
database and get access to all the data.
*applause*
161
00:14:52,029 --> 00:14:57,100
So I basically had access now to the real
life addresses, to messages in clear text
162
00:14:57,100 --> 00:15:04,639
which were exchanged, images, videos and a
lot of other stuff. So, yeah. And what
163
00:15:04,639 --> 00:15:10,420
hurt me the most was the following slide,
because the passwords were stored in clear
164
00:15:10,420 --> 00:15:20,259
text and that's really not necessary in
the 21st century. Okay. So in real life
165
00:15:20,259 --> 00:15:28,180
about 30 minutes have passed by
*loud laughing*
166
00:15:28,180 --> 00:15:32,599
and I tried to do a write up as fast as
possible and submitted it to the German CERT-
167
00:15:32,599 --> 00:15:38,029
Bund. And yeah, a few minutes later, I got
a really interesting call from the German
168
00:15:38,029 --> 00:15:42,209
CERT-Bund. They told me that they had already
informed the manufacturer and they're
169
00:15:42,209 --> 00:15:47,649
already trying to fix those problems. So
my problem was now that I still had to
170
00:15:47,649 --> 00:15:53,070
write my master thesis and I just have
content for about 30 pages now and I need
171
00:15:53,070 --> 00:15:57,529
like a hundred pages. So I did a little bit
more research and found way more
172
00:15:57,529 --> 00:16:01,681
vulnerabilities of course. And the next
vulnerability I'm going to talk about is
173
00:16:01,681 --> 00:16:06,749
the so-called Insecure Direct Object
Reference. Sounds cryptic, but it isn't.
174
00:16:06,749 --> 00:16:11,290
It's basically always a vulnerability
which is consisting of two sub problems.
175
00:16:11,290 --> 00:16:16,569
So the first problem is, when someone
uploads resources to a backend those
176
00:16:16,569 --> 00:16:22,730
resources are most of the time renamed, to
like a random string which shouldn't be
177
00:16:22,730 --> 00:16:28,180
guessable. The first problem would be if
it would be guessable. But the second
178
00:16:28,180 --> 00:16:32,360
thing is, there should be authorization
checks in place. So if someone is able to
179
00:16:32,360 --> 00:16:39,800
guess those unique identifiers, there
should still be some like process which
180
00:16:39,800 --> 00:16:47,670
should check if the user should even be
able to download these resources. And in
181
00:16:47,670 --> 00:16:54,810
this case, yeah, it was just really easy
to guess the identifiers and there was no
182
00:16:54,810 --> 00:17:04,340
authorization whatsoever. And I had to
learn this the hard way, literally. There
183
00:17:04,340 --> 00:17:08,800
is a feature in the smartphone apps,
called galleries. So you can create
184
00:17:08,800 --> 00:17:13,470
galleries, you can set the visibility to
no one is able to see it, just your
185
00:17:13,470 --> 00:17:17,460
friends are able to see it, everyone is
able to see it. You can even set a
186
00:17:17,460 --> 00:17:23,550
password on those galleries. Yeah. And
just for a test I created a gallery with a
187
00:17:23,550 --> 00:17:27,990
few cats and when you request the gallery,
you see the following request. It's
188
00:17:27,990 --> 00:17:34,760
userManager.php blah blah blah username
password and some ID. And I thought maybe
189
00:17:34,760 --> 00:17:39,020
I should change this ID. And I was
presented with a dick pic.
190
00:17:39,020 --> 00:17:43,440
*laughing*
Yeah, the problem behind this is quite
191
00:17:43,440 --> 00:17:48,330
easy. Everything which is stored on the
server is renamed to a global counter. The
192
00:17:48,330 --> 00:17:53,350
global counter is incremented by one after
every upload. And there are no
193
00:17:53,350 --> 00:17:57,761
authorization checks whatsoever, because
the images are just stored in a server, so
194
00:17:57,761 --> 00:18:02,180
it doesn't matter if you set a password or
set the visibility. That's just nonsense
195
00:18:02,180 --> 00:18:10,340
to do. OK. So the next vulnerability. Yeah
I call it improper authentication. To be
196
00:18:10,340 --> 00:18:16,470
honest it was just a weird authentication.
At SEC consult I saw already a lot of
197
00:18:16,470 --> 00:18:20,750
different ways of implementing
authentication. Some are good some are
198
00:18:20,750 --> 00:18:24,200
bad, but it can be fixed. But in this case
it was just weird, I've never seen
199
00:18:24,200 --> 00:18:29,380
something like that. It's basically like
HTTP basic authentication but a little bit
200
00:18:29,380 --> 00:18:33,220
worse.
*laughing*
201
00:18:33,220 --> 00:18:37,250
So normally authentication works as
follows. You're sending a username and
202
00:18:37,250 --> 00:18:41,810
password to a server and if this process
is successful you get some kind of
203
00:18:41,810 --> 00:18:46,470
authorization information like a cookie or
an API token. You can use this cookie or
204
00:18:46,470 --> 00:18:53,510
API token to authorize all the other
requests. In this case every request
205
00:18:53,510 --> 00:18:57,420
contains just username and password in
clear text to authenticate the
206
00:18:57,420 --> 00:19:04,520
requests. That's just weird to be honest.
And also if your password is compromised,
207
00:19:04,520 --> 00:19:07,980
it will also mean that you have to change
your username because it's part of the
208
00:19:07,980 --> 00:19:14,370
authentication information. So weird,
weird implementation. Okay the next
209
00:19:14,370 --> 00:19:19,900
vulnerability is called the remote
pleasure version 1.0. It's 1.0 because
210
00:19:19,900 --> 00:19:25,660
there is a 2.0.
*laughing*
211
00:19:25,660 --> 00:19:30,670
There is a feature in those apps where you
can create remote control links. They can
212
00:19:30,670 --> 00:19:36,310
be sent via SMS or email and everyone who
is in possession of those links can
213
00:19:36,310 --> 00:19:42,930
directly control the devices. There is no
extra confirmation needed. We'll take a
214
00:19:42,930 --> 00:19:53,180
look at the email now. There is a button
in the email called Quick Control and
215
00:19:53,180 --> 00:20:02,880
there is an ID again. Yeah the thing is
it's just a global counter again. And what
216
00:20:02,880 --> 00:20:06,990
an attacker can do now is download the
app, create his own quick control link,
217
00:20:06,990 --> 00:20:10,990
decrement the ID and pleasure just random
strangers on the Internet.
218
00:20:10,990 --> 00:20:25,310
*applause*
Okay I will show you guys a video now,
219
00:20:25,310 --> 00:20:31,750
where I'm doing exactly that.
*laughing*
220
00:20:31,750 --> 00:20:36,010
So when the video is going to start...
It's going to start, perfect. On the right
221
00:20:36,010 --> 00:20:41,420
side we're going to see an attacker device
which is just connected to the normal
222
00:20:41,420 --> 00:20:46,240
mobile network. And the attacker creates
his own quick control link and decrements
223
00:20:46,240 --> 00:20:50,790
the ID. On the left side we can see
another smartphone which is connected to
224
00:20:50,790 --> 00:20:58,840
Wi-Fi, to have Internet access and via
Bluetooth, to the smart sex toy. This
225
00:20:58,840 --> 00:21:05,420
attacker device should now be able to
control - yeah, you can see that now, in a
226
00:21:05,420 --> 00:21:22,860
few seconds. That's just what I explained.
*silence*
227
00:21:22,860 --> 00:21:26,420
*laughing*
There is no confirmation whatsoever so you
228
00:21:26,420 --> 00:21:32,540
can directly control all the devices.
Okay, I have to stop talking about
229
00:21:32,540 --> 00:21:37,120
software now. There is a lot more like
cross-site scripting, HTTPS problems, outdated
230
00:21:37,120 --> 00:21:41,370
software, but there is not enough time
left now so we have to talk about the
231
00:21:41,370 --> 00:21:45,201
transport layer. Before I'm going to tell
you something about the vulnerabilities I
232
00:21:45,201 --> 00:21:51,990
have identified, I will tell you something
about Bluetooth Low Energy in general, the
233
00:21:51,990 --> 00:21:57,670
security basics and how authentication and
encryption works on a very high level. So
234
00:21:57,670 --> 00:22:03,460
you can imagine that Bluetooth Low Energy
basically works like a web API. So it's
235
00:22:03,460 --> 00:22:08,080
very high level explanation. You have API
endpoints. Those are the service
236
00:22:08,080 --> 00:22:12,070
characteristics and you have properties
where you can read and write to. So for
237
00:22:12,070 --> 00:22:18,470
example the device name can be read or
written to change the device name. There's
238
00:22:18,470 --> 00:22:22,190
also a lot of other characteristics which
will be very important when it comes to
239
00:22:22,190 --> 00:22:28,220
remote pleasure version 2.0 a little bit
later. So that's a very high level
240
00:22:28,220 --> 00:22:32,300
explanation, I know, but we don't have
enough time left. Talking about the
241
00:22:32,300 --> 00:22:39,010
security basics Bluetooth Low Energy is
using AES-CCM, that's counter CBC with MAC.
242
00:22:39,010 --> 00:22:44,581
That's basically considered secure but as
we know, security also depends on the key
243
00:22:44,581 --> 00:22:50,450
material and the key exchange. In
Bluetooth Low Energy the key exchange is
244
00:22:50,450 --> 00:22:54,200
defined by the pairing methods. For
Bluetooth Low Energy we have five pairing
245
00:22:54,200 --> 00:22:59,650
methods. We have just "No Pairing". So
yeah we basically throw packets into the
246
00:22:59,650 --> 00:23:05,770
air and if a device is nearby it tries to
do something with those packets. We have
247
00:23:05,770 --> 00:23:09,060
"Just Works", we have "Out of Band
Pairing", "Passkey" and "Numeric
248
00:23:09,060 --> 00:23:15,510
Comparison". I don't have to tell you the
details now. You all know those. It's
249
00:23:15,510 --> 00:23:19,370
numeric comparison, where we compare
numbers to exchange the key material. You
250
00:23:19,370 --> 00:23:24,800
have the Passkey, which is yeah like
always 0000 or 1234. We have Out of Band
251
00:23:24,800 --> 00:23:29,720
Pairing, where the key material is
exchanged via NFC for example and we have
252
00:23:29,720 --> 00:23:34,500
"Just Works", that's really secure, where
the key is just set to zero and can of
253
00:23:34,500 --> 00:23:41,940
course be brute-forced with ease, but it
just works of course. So out of those five
254
00:23:41,940 --> 00:23:51,320
methods, what does the audience think the
sex toy is using? Is it using no pairing?
255
00:23:51,320 --> 00:23:59,290
Raise your hands. Is it using any of the
other more or less secure methods? Yeah.
256
00:23:59,290 --> 00:24:03,060
It's using no pairing.
*laughing*
257
00:24:03,060 --> 00:24:06,790
That means that the Android and iOS apps
just throw the packets into the air and if
258
00:24:06,790 --> 00:24:13,420
a device is nearby, it starts to vibrate
*laughing*
259
00:24:13,420 --> 00:24:17,250
and that's of course easily exploitable
you can just sniff the real traffic and
260
00:24:17,250 --> 00:24:22,410
repeat it. I did exactly that using a so-
called Bluetooth Low Energy sniffer. I
261
00:24:22,410 --> 00:24:26,580
used a Bluefruit device, it works very
well and I placed it between the sex toy
262
00:24:26,580 --> 00:24:32,240
and the smartphone app. I sniffed the
traffic using Wireshark and I found some
263
00:24:32,240 --> 00:24:38,970
interesting end points or handles. There
is the 1F handle which is like an
264
00:24:38,970 --> 00:24:45,230
initialization handle and there is the
handle 25, where you can send values from
265
00:24:45,230 --> 00:24:51,930
00 to FF to set the vibration intensity.
Yeah and now it's time for a little bit of
266
00:24:51,930 --> 00:25:02,840
War-dildoing. I wrote a small Python proof
of concept which basically scans the air
267
00:25:02,840 --> 00:25:08,390
for Bluetooth Low Energy devices. If it
finds a device, it tries to
268
00:25:08,390 --> 00:25:15,340
find out if it is a sex toy, and if yes,
yeah, it basically turns it on to 100%, to
269
00:25:15,340 --> 00:25:18,450
FF.
*laughing*
270
00:25:18,450 --> 00:25:25,900
So the next thing I want to talk about is
not that funny. So please don't laugh now
271
00:25:25,900 --> 00:25:32,000
because when we released this, a lot of
people on Twitter asked "Is this rape?",
272
00:25:32,000 --> 00:25:39,230
so serious topic. For example the evil
attacker is using my War-dildoing script
273
00:25:39,230 --> 00:25:46,220
in the metro, in the U-Bahn in Vienna. And
he would just pleasure random strangers.
274
00:25:46,220 --> 00:25:52,950
Is this rape? In Austria we have two
different things. We have rape and sexual
275
00:25:52,950 --> 00:25:57,560
assault and they have two preconditions.
So that's violence - eh three
276
00:25:57,560 --> 00:26:02,720
preconditions. We have violence, threats
or deprivation of liberty, which is just
277
00:26:02,720 --> 00:26:07,820
not the case in this scenario. But we have
a special paragraph called, phew that's
278
00:26:07,820 --> 00:26:12,450
really hard to translate that. It's called
the Po-Grapsch paragraph. I know that's a
279
00:26:12,450 --> 00:26:15,960
little bit different in Germany and I'm
not a law expert so I just kept to the
280
00:26:15,960 --> 00:26:22,240
Austrian laws which could be verified by
tourists. According to this paragraph this
281
00:26:22,240 --> 00:26:27,460
would be an unwanted sexual act, via a
third party object. So it's not rape, but
282
00:26:27,460 --> 00:26:35,020
it's an unwanted sexual act. Okay. The
hardware. Last but not least. The biggest
283
00:26:35,020 --> 00:26:40,190
problem is that firmware updates are not
possible. That was confirmed by the
284
00:26:40,190 --> 00:26:46,990
manufacturer. The problem here is a lot of
vulnerabilities can just be fixed by doing
285
00:26:46,990 --> 00:26:54,070
firmware updates and the manufacturer came
up with the idea, that the end users can
286
00:26:54,070 --> 00:26:58,520
send in their smart sex toys to do a
firmware update and I'm quite sure that
287
00:26:58,520 --> 00:27:04,550
nobody's sending in their used devices to
conduct a firmware update. The other
288
00:27:04,550 --> 00:27:09,450
problems are debug interfaces. They just
forgot to remove or deactivate the
289
00:27:09,450 --> 00:27:15,740
serial interfaces on the sex toys. It's
just really easy to extract the firmware
290
00:27:15,740 --> 00:27:21,970
and do a little bit more research on
the firmware. Okay. So you might now think
291
00:27:21,970 --> 00:27:27,070
I still want to use smart sex toys. What
can I do? Yeah the tin foil is not
292
00:27:27,070 --> 00:27:31,100
working.
*loud laughing*
293
00:27:31,100 --> 00:27:41,280
*applause*
But there are a lot of interesting open
294
00:27:41,280 --> 00:27:47,410
source projects out there. So first of all
the most famous project is the Internet of
295
00:27:47,410 --> 00:27:52,310
Dongs project. There is a really
interesting person behind that. He's
296
00:27:52,310 --> 00:27:56,610
called RenderMan. You can find him on
Twitter. He invented this project to make
297
00:27:56,610 --> 00:28:01,240
this whole Internet of Dongs a little bit
safer. And he's doing like penetration
298
00:28:01,240 --> 00:28:06,620
tests and stuff like that and he's even
handing out DVS. So that's the equivalent
299
00:28:06,620 --> 00:28:13,870
to CVS. Then we have buttplug.io and
metafetish. They are developing open
300
00:28:13,870 --> 00:28:18,680
source firmwares for a lot of different
sex toys and they're independent from all
301
00:28:18,680 --> 00:28:22,290
the manufacturers. And there is also
something called Onion Dildonics
302
00:28:22,290 --> 00:28:29,910
*laughing*
which has the goal of rerouting all the
303
00:28:29,910 --> 00:28:36,400
smart sex toy traffic over the TOR network
to make it a little bit safer.
304
00:28:36,400 --> 00:28:48,680
*applause*
OK. There is one more thing. I had a lot
305
00:28:48,680 --> 00:28:57,260
of calls together with the manufacturer
and the German CERT-Bund. And one call was
306
00:28:57,260 --> 00:29:02,180
outstanding because we were discussing the
remote pleasure vulnerabilities. And we
307
00:29:02,180 --> 00:29:07,870
tried to explain to the manufacturer that
it's not good that you can basically, out
308
00:29:07,870 --> 00:29:13,640
of the box, pleasure everyone on the
Internet or if you're nearby. We told them
309
00:29:13,640 --> 00:29:17,220
that it should be at least like an opt-in
feature, where you can switch on this
310
00:29:17,220 --> 00:29:24,470
feature in the apps, but the manufacturer
said no that's not possible because, at
311
00:29:24,470 --> 00:29:28,890
least they believed that, most of our
customers are in swinger clubs and you
312
00:29:28,890 --> 00:29:33,230
don't know beforehand who is in the
swinger club. So there is just no opt-in
313
00:29:33,230 --> 00:29:39,320
in a swing club, because you're basically
always in. Thank you.
314
00:29:39,320 --> 00:29:56,800
*applause*
Herald Angel: Secretary of Education you
315
00:29:56,800 --> 00:30:01,100
are now taking questions. We have five
microphones two in the front and three in
316
00:30:01,100 --> 00:30:08,350
the back. So please line up and ask
whatever you want. So apparently people on
317
00:30:08,350 --> 00:30:11,590
Twitter are engaged in a drinking game
where they were drinking every time you
318
00:30:11,590 --> 00:30:14,760
said penetration testing.
*loud laughing*
319
00:30:14,760 --> 00:30:21,330
*applause*
Herald: In the meantime we have a question
320
00:30:21,330 --> 00:30:24,880
from microphone number two.
Question: Did you come across anything
321
00:30:24,880 --> 00:30:28,760
with the patent trolls in teledildonics?
Answer: I came across what sorry?
322
00:30:28,760 --> 00:30:34,900
Q: Patent trolls. There is an issue with
the teledildonics patent and some
323
00:30:34,900 --> 00:30:40,200
companies have been threatened to go out
of business because of frivolous lawsuits.
324
00:30:40,200 --> 00:30:45,210
A: Yes. Yes there was the I guess it was
called the teledildonics appreciation day
325
00:30:45,210 --> 00:30:50,910
in August because the patent ended. So you
can basically use the term wherever you
326
00:30:50,910 --> 00:30:55,770
want.
Herald: Thank you. Microphone number three
327
00:30:55,770 --> 00:31:01,900
please.
Q: So this was very funny obviously. And
328
00:31:01,900 --> 00:31:08,640
you showed us the really low hanging
fruit. On the website in the database you
329
00:31:08,640 --> 00:31:14,740
would have been able to see the social
graph of the users. I don't know if you
330
00:31:14,740 --> 00:31:19,620
have managed to look at other devices. Can
you elaborate a little bit more on
331
00:31:19,620 --> 00:31:27,430
something that I believe more serious.
Which is the profiling of users behavior,
332
00:31:27,430 --> 00:31:33,720
social networks and so on?
A: So of course I didn't take a look at
333
00:31:33,720 --> 00:31:37,230
all the data because it was so critical in
my opinion, that I directly contacted the
334
00:31:37,230 --> 00:31:42,360
CERT-Bund. So I can't give you any
information about the data of course. I
335
00:31:42,360 --> 00:31:46,090
also took a look at like things like
tracking and stuff like that and in this
336
00:31:46,090 --> 00:31:51,890
case there was not a lot of tracking going
on at the German sex toys. But when you
337
00:31:51,890 --> 00:31:55,570
compared it to the Chinese sex toys, there
is way more tracking and stuff like that
338
00:31:55,570 --> 00:32:01,570
going on. But I didn't take like a
detailed look into that.
339
00:32:01,570 --> 00:32:08,700
Herald: Thank you. Thank you again for
the educational and entertaining talk
340
00:32:08,700 --> 00:32:14,751
and hopefully a lot of rounds of applause.
341
00:32:14,751 --> 00:32:18,561
*applause*
342
00:32:18,561 --> 00:32:24,146
*35c3 postroll music*
343
00:32:24,146 --> 00:32:41,000
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!